The Scenario:

Assess:

Is this email a problem?

It certainly appears to be appealing to the recipient's fears with the scary legal language. There's a typo or two in there that might make you suspicious. Real or not, a document like this should be brought to the attention of your security/legal departments. So it's likely a problem of one sort or another.

What is it?

You could start by checking into the source of the email and the domain hosting the link. In this case, the originator appears to be a mail server for a small city. The domain has been around for nearly a year, but was just updated a few days ago. Domaintools.com is your friend.

If you're equipped for it, you may want to start by checking out the document by pulling it down to a safe machine. In my case it's a unix box, since it appears to be a Word document. I craft a simple wget script to pull the file down while looking like a vulnerable version of IE.

Looking at the earlier diary entry, we see results from Anubis showing some network activity. Now we have a couple of things to look for to measure impact:

Email details to search our mail-logs to determine who received the lure message.

The URL of the initial downloader to see who clicked on it and brought it into the network.

The network behavior of a system that executed the code.
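The first two searches above are just log greps. As an added illustration (not part of the diary, and not the author's own script), here is a small POSIX shell triage that runs them against constructed Postfix-style mail-log lines and Squid-style proxy-log lines. The sender address, the internal addresses and IPs, and every log line are constructed samples; only the lure's URL host comes from the diary itself.

```shell
#!/bin/sh
# Added example: triage a phishing lure against mail and proxy logs.
# All log lines, mailboxes and client IPs below are constructed samples.

LURE_SENDER="mark.crosby@example-city.gov"       # assumed sender of the lure (constructed)
LURE_HOST="www.touchstoneadvisorsonline.com"     # host from the lure URL in the diary

MAILLOG=$(mktemp)
PROXYLOG=$(mktemp)
trap 'rm -f "$MAILLOG" "$PROXYLOG"' EXIT

# Constructed Postfix log: one from= line and one to= line per recipient, tied by queue ID.
cat >"$MAILLOG" <<'EOF'
Mar 12 08:01:02 mx1 postfix/qmgr[1234]: 7A1B2C: from=<mark.crosby@example-city.gov>, size=2311
Mar 12 08:01:02 mx1 postfix/smtp[1240]: 7A1B2C: to=<alice@corp.example>, status=sent
Mar 12 08:01:02 mx1 postfix/smtp[1240]: 7A1B2C: to=<bob@corp.example>, status=sent
Mar 12 08:05:00 mx1 postfix/qmgr[1234]: 9F0E1D: from=<newsletter@vendor.example>, size=9000
Mar 12 08:05:00 mx1 postfix/smtp[1241]: 9F0E1D: to=<carol@corp.example>, status=sent
Mar 12 09:30:11 mx1 postfix/qmgr[1234]: 3C4D5E: from=<mark.crosby@example-city.gov>, size=2311
Mar 12 09:30:11 mx1 postfix/smtp[1242]: 3C4D5E: to=<dave@corp.example>, status=bounced
EOF

# Constructed Squid native log: time elapsed client code/status bytes method URL ...
cat >"$PROXYLOG" <<'EOF'
1268380000.123    412 10.1.2.3 TCP_MISS/200 51200 GET http://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc - DIRECT/203.0.113.10 application/msword
1268380005.456    200 10.1.2.4 TCP_MISS/200 2048 GET http://www.example.org/index.html - DIRECT/198.51.100.2 text/html
1268380100.789    398 10.1.2.9 TCP_MISS/200 51200 GET http://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc - DIRECT/203.0.113.10 application/msword
1268380150.000    120 10.1.2.3 TCP_MISS/404 512 GET http://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc - DIRECT/203.0.113.10 text/html
EOF

# Who received the lure? Collect the queue IDs whose from= matches the sender,
# then list every delivered (status=sent) to= address under those queue IDs.
lure_recipients() {
    log=$1; sender=$2
    grep -F "from=<$sender>" "$log" |
    sed -n 's/.*: \([0-9A-F]*\): from=.*/\1/p' | sort -u |
    while read -r qid; do
        grep -F ": $qid: to=<" "$log" | grep -F "status=sent" |
        sed -n 's/.*to=<\([^>]*\)>.*/\1/p'
    done | sort -u
}

# Which clients actually fetched the downloader? Keep 2xx responses only, so a
# later 404 (site already taken down) does not count as a successful pull.
url_fetchers() {
    log=$1; host=$2
    awk -v host="$host" '$4 ~ /\/2[0-9][0-9]$/ && $7 ~ ("^https?://" host "/") { print $3 }' "$log" |
    sort -u
}

echo "Lure recipients (candidates for user follow-up):"
lure_recipients "$MAILLOG" "$LURE_SENDER"
echo "Hosts that fetched the downloader (candidates for the IR procedure):"
url_fetchers "$PROXYLOG" "$LURE_HOST"
```

Bounced deliveries are deliberately dropped from the recipient list, and only 2xx proxy responses count as a fetch; both are judgement calls, and in a real run you would also want the unsorted, timestamped hits to reconstruct the order of events.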

How bad is it for us?

Using those details, it's time to evaluate the impact this attack has had on your firm. If you have anyone who downloaded the file, or evidence of a machine reaching out for the next stage, then you pull your Malware Incident Response document off the shelf and follow it. We all have differing levels of documentation to refer to, but there's always some sort of plan, even if it's "update resume."

Protect

While you're assessing the impact (greps take a while to run sometimes), you have some information that you can leverage to protect the people in your network. You have email addresses and URLs to block and malware to submit to your vendor (assuming it's not already on the VirusTotal list, as mine wasn't). Acting quickly on this protection phase makes your clean-up phase go easier.

Respond/Clean-up

Now that you have your list of machines that were exposed and your Malware Incident Response document handy, you follow it to make your systems and network all shiny and clean.

Report

This step is important.

In my environment, my boss likes to know what it is that I'm doing in the dark data closet. So keeping track of the event, its impact, etc. is good not only for tracking the incident, but also for review time.

When you were researching the IP that sent the email and the one hosting the URL (you still have that up in a browser, right?), you found abuse contacts; it is also critical that you report the incident to them. Send a kind email reporting the issue (they'll likely get a few reports, and most of them might not be so kind), which helps more than just your own environment.

Learning from Others/Helping Others

You will want to follow a similar process in response to events reported here and in other blogs and media. It not only helps protect you from what is hitting other folks, but you may also uncover a gap in your internal detection process.

By submitting malicious URLs to proxy-filter vendors and malware to AV vendors, you help protect not only your environment but also your neighbors. If fewer of your neighbors are getting infected, then that's fewer spam-bots and phishing sites that eventually target you.

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby
Crosby & Higgins LLP

The law firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.

If a user clicks on the link and opens the document, it will attempt to download an additional payload.